Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
Size: 2.5MB
MD5: 299387006f4c53e094801accf2038d6a
SHA1: 0ce470db13b5c568d93bcb835ea62713d39dd729
SHA256: 6f3bc83cebfbca55ab91273f3e30fe64c628a4965fce526ef4e08241568111ff
SHA512: 6bbf0698a13f453d7c518f4b06b839b818fb533d5894ceae0d4105533150741909e629236e43af8faa21df1f631dd3b889b14f8ac9ab7a5241362530bf58b083
SSDEEP: 49152:cQTyG5ypIdlm8tJDl1r9ouchzJEzRkRfxxw5mX6AXJANerZA:etpIdA8biuwzokRfj4mX6mA8d
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Windows\\FrWall.exe" | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe

Kills process with taskkill (1 IoC)
PID | Process
2524 | taskkill.exe

Modifies registry class (64 IoCs)
NTFS ADS (2 IoCs)
Description | IoC | Process
File created | C:\ProgramData\TEMP:BEEA8369 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
File opened for modification | C:\ProgramData\TEMP:BEEA8369 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Description | PID | Process
Token: 33 | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
Token: SeDebugPrivilege | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
Token: SeDebugPrivilege | 2524 | taskkill.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Description | PID | Process | procid_target
PID 1288 wrote to memory of 2524 | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe | 28
PID 1288 wrote to memory of 2524 | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe | 28
PID 1288 wrote to memory of 2524 | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe | 28
PID 1288 wrote to memory of 2524 | 1288 | 299387006f4c53e094801accf2038d6a_JaffaCakes118.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\299387006f4c53e094801accf2038d6a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\299387006f4c53e094801accf2038d6a_JaffaCakes118.exe"
   PID: 1288
   - Checks BIOS information in registry
   - Adds Run key to start application
   - Modifies registry class
   - NTFS ADS
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\taskkill.exe (child of PID 1288)
      Command line: taskkill -f -im ashMaiSv.exe -im mcvsftsn.exe -im Mcdetect.exe -im McTskshd.exe -im mcvsshld.exe -im McVSEscn.exe -im McShield.exe -im mcagent.exe -im oasclnt.exe -im nod32kui.exe
      PID: 2524
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken